Conventional communications networks often employ data security techniques to ensure the integrity and authenticity of data transmitted over the network. Communications devices within such networks use cryptographic operations, such as encryption and authentication, to protect the transmitted data from security threats. Such security threats include loss of privacy, loss of data integrity (tampering), identity spoofing, and denial of service, to name several. The conventional data security techniques attempt to protect communications from such attacks.
Traditionally, certain authoritative entities have sought to maintain control over various types of electronic communication. For example, a corporation typically limits or restricts personal telephone and email use during working hours. Government entities have endorsed limited use of wiretaps and other communications surveillance for law enforcement and national security reasons. More recently, certain courts have imposed duties on employers to exercise reasonable care that communications equipment is not being used for illegal, illicit, or offensive communications, for example through the use of email and web browsers. Encryption technology, however, hinders the ability of third parties to control and monitor such communications. Accordingly, certain authorities have attempted to mandate, by fiat or legislation, controlling measures such as registration of security measures, requiring the use of certain technology, escrowing security instruments (e.g., secret keys) used for encryption, and registration of such secret keys.
Attempts to regulate the use of encryption technology have met with limited success. Federal legislation imposes export controls on software and hardware enabling keys exceeding a certain size. Other political and sociological factors weigh in on the lawful restriction and enforcement of encryption technology. Certain groups oppose the notion of limiting or regulating the use of communications technology based on privacy and other First Amendment grounds. Accordingly, the debate over third party (e.g., government, corporate, or other sovereign) oversight of data security measures has the practical effect of impeding the standardization and widespread adoption of available encryption technology for routine communications.
For example, the National Security Agency (NSA) at one time endorsed a device called a “clipper” chip as a means of embedding a “back door” onto computing devices that would facilitate the ability of law enforcement agencies to bypass encryption security measures. Difficulties with mandating the inclusion of such a chip in widely distributed hardware baselines resulted in the failure of this approach. Also, since computing hardware tends to be rapidly deployed, inability to retrofit widely disseminated hardware installations limits the effectiveness of incorporating such technology only in new devices.
Conventional Public Key Infrastructures (PKIs) incorporate Certificate Revocation Lists (CRLs) to propagate notice of keys that have been revoked and therefore should not be trusted. However, a conventional implementation employing CRLs requires authentication through a known chain of certification authorities (CAs) that have authenticated the revoked key. Accordingly, CRLs impose substantial overhead and have not been widely employed for this reason.
Key escrow attempts have also proven unwieldy because of the difficulty of implementing a mechanism to legislate and enforce such requirements. Key escrow requirements exist in various situations involving governmental and/or corporate communication policies; however, the policy makers have difficulty enforcing compliance with such a key escrow policy. Such policy makers are usually able to enforce key escrow most efficiently when they actually issue the keys to the individual end-users, but even in such cases they may not be able to ensure that no unauthorized keys are also being used. This may be because of indifference and resistance by the user, who may be opposed to, or simply not want to be bothered with, voluntary proactive deposit of the key. Also, storage and cataloging of keys imposes substantial overhead and consumption of resources on the escrowing agent. Further, forcing involuntary deposit also meets substantial political, legal, and implementation hurdles. For the above reasons, efficient and practical enforcement of generalized security technology registration and enforcement has not been feasible.